I get emails from CSF every time it blocks someone. Here's one I got this morning:
Time: Sat Jan 19 10:17:24 2013 -0800
IP: <REDACTED> (US/United States/-)
Hits: 21
Blocked: Temporary Block
Sample of block hits:
Jan 19 10:16:28 red kernel: [6727856.279786] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=<REDACTED> DST=<REDACTED> LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=47609 DF PROTO=TCP SPT=40954 DPT=587 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 10:16:30 red kernel: [6727858.716317] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=<REDACTED> DST=<REDACTED> LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=40975 DF PROTO=TCP SPT=43688 DPT=587 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 10:16:31 red kernel: [6727859.809269] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=<REDACTED> DST=<REDACTED> LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=56375 DF PROTO=TCP SPT=43688 DPT=587 WINDOW=65535 RES=0x00 SYN URGP=0
..... (It continues on with more of the same)
The way I'm reading this is that this particular IP (SRC, right?) got blocked because of excessive hits to port 587 (DPT, right?) (which is SMTP). Am I correct? Are there any other important bits I should know how to read? Google wasn't helping when I tried to learn how to decipher these things.
And then the matter of interpreting: This happens to be my business partner's IP. He says he wasn't sending any emails at the time. Any theories on what could be going on?
As you have seen that someone was trying to connect your server on port 587 with incorrect login details, so csf/lfd has blocked that IP.
In the same way might your partner has incorrect attempts for cpanel/mail and Ip has blocked, you can check same as:
or
and if you see entry in csf.deny or csf.tempip then remove that entry to unblock that ip.